An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path that should be compressed into our output file | Path | C:\* |
output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip |
```powershell
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path that should be compressed into our output file | Path | *.docx |
output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar |
```cmd
rar a -r #{output_file} #{input_file}
```
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/* |
output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip |
```sh
zip #{output_file} #{input_files}
```
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt |
```sh
gzip -f #{input_file}
```
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test archives a folder or file with tar and applies standard gzip compression.
Supported Platforms: Linux, macOS
Name | Description | Type | Default Value |
---|---|---|---|
input_file_folder | Path that should be compressed | Path | /tmp/victim-files/ |
output_file | File that should be output | Path | /tmp/victim-files.tar.gz |
```sh
tar -cvzf #{output_file} #{input_file_folder}
```
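The three Linux/macOS tests above (zip of a glob, gzip of a single file, tar of a folder) as one end-to-end script. This is an added example, not one of the Atomic Red Team test definitions: it stages constructed sample files under a mktemp directory instead of the /tmp/victim-files defaults, runs each command, verifies that the archive really contains what was staged (a test that silently produced nothing would not exercise the behaviour a detection is meant to see), and removes the artifacts afterwards, since the tests' cleanup steps are not shown on this page. The file names and contents are constructed, and the skip-when-missing handling for Info-ZIP's zip/unzip is an assumption about the host.

```sh
#!/bin/sh
# Added example, not one of the Atomic Red Team test definitions above: stage a
# few constructed "victim" files, run the zip, gzip and tar commands from the
# three Linux/macOS tests, verify each archive contains what was staged, and
# remove the artifacts afterwards. Paths live under a mktemp directory rather
# than the /tmp/victim-files defaults so the script is self-contained.

# Create constructed sample documents to archive; prints how many were staged.
stage_victim_files() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Q3 board minutes (constructed sample)\n' > "$dir/minutes.txt"
    printf 'employee,amount\nalice,1\n' > "$dir/payroll.csv"
    printf 'constructed secret\n' > "$dir/secret.txt"
    ls "$dir" | wc -l | tr -d ' '
}

# Test "tar Folder or File": tar -czf the folder, then count the regular files
# recorded in the archive (directory entries end with "/"). tar strips the
# leading "/" from member names and warns about it, so stderr is discarded.
tar_folder_test() {
    out="$1"; src="$2"
    tar -czf "$out" "$src" 2>/dev/null || return 1
    tar -tzf "$out" | grep -vc '/$'
}

# Test "gzip Single File": gzip -f replaces the file with file.gz in place;
# confirm the original is gone and the stream passes gzip's integrity check.
gzip_single_file_test() {
    file="$1"
    gzip -f "$file" || return 1
    [ ! -e "$file" ] && gzip -t "$file.gz" && echo "$file.gz"
}

# Test "zip": zip the already-expanded glob, then count entries with unzip's
# zipinfo mode. Returns 2 (skipped) where zip/unzip are not installed; this
# skip behaviour is an assumption about the host, not part of the test.
zip_glob_test() {
    out="$1"; shift
    if ! command -v zip >/dev/null 2>&1 || ! command -v unzip >/dev/null 2>&1; then
        echo "zip/unzip not installed; skipping zip test" >&2
        return 2
    fi
    zip -q "$out" "$@" || return 1
    unzip -Z1 "$out" | wc -l | tr -d ' '
}

# Remove every artifact the tests produced.
cleanup_victim_files() {
    rm -rf "$1"
}

# Run all three tests end to end; prints one status line per test.
run_all_nix_tests() {
    base=$(mktemp -d) || return 1
    staged=$(stage_victim_files "$base/victim-files")
    printf 'staged %s files under %s\n' "$staged" "$base/victim-files"

    n=$(tar_folder_test "$base/victim-files.tar.gz" "$base/victim-files/")
    printf 'tar.gz contains %s files\n' "$n"

    printf 'constructed gzip sample\n' > "$base/victim-gzip.txt"
    gz=$(gzip_single_file_test "$base/victim-gzip.txt")
    printf 'gzip produced %s\n' "$gz"

    rc=0
    n=$(zip_glob_test "$base/victim-files.zip" "$base"/victim-files/*) || rc=$?
    case $rc in
        0) printf 'zip contains %s entries\n' "$n" ;;
        2) printf 'zip test skipped\n' ;;
        *) printf 'zip test failed (status %s)\n' "$rc"
           cleanup_victim_files "$base"; return 1 ;;
    esac

    cleanup_victim_files "$base"
}

run_all_nix_tests || echo "at least one archive test failed" >&2
```

Each check function prints the count of files actually recorded in the archive, so a run where the glob expanded to nothing, or where the output landed inside the folder being archived, shows up as a wrong count rather than a passing test.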